Privacy Audit

Access Services Privacy Audit

Access Services Overview

San José Public Library’s Access Services Department is a multifaceted unit that consists of various King Library and system wide responsibilities. In regards to this privacy audit we will focus on the units’ responsibility around the integrated library system (ILS), Sierra.

Access Services and more specifically System Support works to maintain the customer database, including running and gathering data from the customer database. This work includes the purging of customers and customer data as indicated by our yearly schedule or as needed requested by administration.

System support is responsible for gathering and maintaining system wide circulation statistics. In addition, they are tasked with overseeing the data exchange with our collection agency, Unique Management Services (UMS) and handling customer inquiries about accounts that have been referred to collections.

Recently, System Support has been tasked with assisting LIT in the creation of staff logins to the ILS and assisting Technical Services with the maintenance of loan rules and location codes as they relate to the ILS. Other recent projects include the training and implementation of RFID staff workstations, self-checks, and payments on self-checks. We have also been asked to participate in various projects as it relates to the customer database. This includes data extraction for the predictive scheduling project, bad debt write offs and data as it relates to reports and grants.

Information Collected

Integrated Library System: Sierra

Patron Database

The customer database is populated by a paper application that is inputted by staff or an electronic application that is inputted by the library customer. In either version the following information is requested:

• First and last name
• Birthdate
• Mailing address
• Email address
• Telephone Number
• Parent/Legal Guardian name and/or driver’s license (for children under 18)
• Sign up for a library newsletter (optional)

The paper application is retained for the period necessary to input the information into our database after which, it is shredded. The only exceptions are the teen cards. These applications are maintained for three months at the location where the customer applied. The online application is maintained in the database for 60 days or until the customer visits one of our locations to get their card issued. Unclaimed accounts are purged every 2 months.

When applying for a card, customers must provide a picture ID and proof of address. The library does not create unnecessary records, only retains records required to fulfill the mission of the library, and does not engage in practices that would place information on public view.

The library deletes customer records from the system once a year based on the following criteria:

• Expired for 2 years
• Not active for 4 years from the date report is run

Customers meeting either of these two requirements must also have:

• Fines less than $10
• No items checked out

Only authorized library staff have access to the personal data stored in the ILS. Access to this information is only to be used in regular library operations. Except when required by law or to fulfill an individual customer's service request, the library will not disclose any personal data collected from customers through the ILS.

Logins to access the customer database are created at the branch or unit level. Staff are able to use that login for sole purpose of performing library work. This login allows staff to perform the following functions as it relates to the customer record:

• Create a new customer account
• View and edit customer account information. PIN numbers are encrypted upon entry and may only be edited.
• View and edit fine information
• View and edit holds and requests

Most frontline library staff and those working in technical services have access to the ILS (librarians, clerks, library assistants, pages, and managers). Library aides, whose main function is to shelve, have very limited access to the database and only use it to check in materials. Individual logins are created for various staff and units; their permissions are based upon the tasks they need to complete. For example, staff in Technical Services has permission to print spine labels or have access to orders, but staff on the Web Team would not be provided the same permissions since they do not need those functions.

Circulation Records

A customer's library record includes items currently checked out or on hold, as well as overdue materials and fines. The library does not maintain a history of what a customer has previously checked out. After materials have been returned the item is deleted from their account. When fines accrue on a customer's account, the library does maintain records of items that have been borrowed, but returned after the due date, or are still outstanding on the customer's record.

Fines paid data is maintained in a library customer's circulation record. The fines paid data is a listing of items that have been returned late, lost or damaged while it was checked out to the customer. Fines paid data is used to show the history of payments made on the customer's fines and fees. The fines paid data is maintained for the financial and record keeping purposes. Fines paid data contains:

• Title of item
• Item barcode
• Date checked out
• Date due
• Date returned
• Date paid
• Amount of fine
• Location of payment
• Staff Login

Item records also keep details of the last customer who checked out the material. This information is only accessible by staff for regular operational duties (lost, missing, or damaged items). A customer will stay attached to this record until the item is checked out again.

Fines paid information should be maintained for as long as necessary to meet the needs of the Business Office and their bookkeeping requirements. This will require collaboration with the Administrative Officer and her staffs need with the information that is stored in the fines paid file. Tentative due date is the end of this fiscal year.

Circulation Statistics

Circulation statistics are gathered on a monthly basis and reported based upon the fiscal year. They are used in reporting customer usage, to secure funding, to make informed decisions about materials to purchase, and to identify trends for future projects. We gather the following information from our ILS for circulation statistics:

• Number of times items checked out in a specific location code
• Number of renewals in person versus website
• Number of checkouts on self-check machines versus staff stations
• Number of returns via our automated handling system (AMH) versus staff stations
• Circulation of electronic resources

No customer information is gathered in the collection of these statistics. These statistics are accessed and compiled by the System Support unit.

Unique Management Services (UMS)

Unique Management Services is the debt collection agency contracted to handle customer accounts which have gone into default, meeting the following criteria:

• A billed item
• Fines and fees over $50

We provide UMS with a submission file from the ILS. Submission files are a list of customer accounts newly selected for collection activity based upon the criteria established within the collection agency module/interface and is generated on a daily basis. The submission report provides limited customer information including:

• Patron Record Number
• Name
• Address
• Telephone Number
• Legal Guardian/ Parent Name and driver's license (if under 18)
• Birthdate
• Patron Type
• Home Library
• Delinquency date
• Money Owed (only the dollar amount is provided, UMS does not receive title information to ensure customer confidentiality is protected)

The synchronization or "sync" report is a quality assurance tool that provides a listing of all accounts flagged for collection activity along with their current balance. The purpose of the "sync" is to verify that UMS balances match library balances. The sync report will typically be initiated by a customer service technical analyst at UMS, but this process can be initiated by the library at any time.

UMS provides library staff access to a cloud-based database of library customers that have been sent to UMS. This access is limited to the senior librarian of access services and the clerical staff of System Support which consists of a library assistant and a clerk.

OrangeBoy/Savannah

Beginning in October of 2015, circulation and customer data was provided to OrangeBoy for the creation of a predictive scheduling tool that relates circulation activity to the staffing levels at the various branches. Data is uploaded to OrangeBoy on a weekly basis which then populates a dashboard. This dashboard is currently accessible to Administration, Access Services, Web Team, and IT staff since these units are responsible for uploading the requested information. Branch staff has a limited view of the predictive scheduling tool that has been created using the data provided.

Check-In data for the previous week is sent to OrangeBoy, the file consists of the following information:

• Location of check-in
• Date and time of check-in
• Whether the check-in occurred through the AMH or through a staff terminal

Gate count information is sent including:

Number of visitors at each branch for the previous week

In addition, branch staff scheduling is sent including:

Clerical staff hours worked in the following service points: Zone, Materials Handling, Shelving, Tidy, Pull and Holds.

Bibliotheca

In 2016 we underwent the process of converting our collection from a magnetic based security system to an RFID based security system. This new system also integrated the ability for materials to be scanned using RFID devices. The RFID tags are placed in all of our circulating materials and are programmed with the barcode of the item onto which they are attached. The tags do not contain title or customer information.

Bibliotheca is our vendor for the RFID conversion. They provided us with the following devices related to RFID: staff pads, self-check machines, security gates, and handheld inventory devices. Our staff has access to a cloud-based dashboard that allows them to monitor the functions and status of self-checks and security gates. The dashboard provides staff with information about the transactions on the self-checks which include checkouts, renewals, and payments on fines.

The information provided for these transactions varies based upon the function. For checkouts, staff can see the date, time, customer barcode, barcode of items checked out, and barcode of any items renewed. For the security gates, staff can access a tally of people that have walked through the gate and the barcode of any items that have triggered the gate alarm.

Each location has two unique logins. One login provides a higher level of functionality displaying transaction level data and is provided to Branch Managers, Library Assistants and FT or PT Clerks. The other only provides information about the status of the machine and can be viewed by all staff.

ALA Checklist Items

1. Request and store only the personal information about customers necessary for library operations. Periodically remove data that is no longer necessary for library operations (e.g. purchase-request data). If the LMS supports it, use “fuzzy” demographic information wherever possible (e.g. use a “minor/not a minor” classification instead of recording full birth date).
   1. We are in the process of reviewing the paper and online application regarding the information that we gather about our customers. It has been decided that we will continue to collect DOB as it is used for statistical purposes and will provide a way for staff to identify customers with similar names. We will discontinue the collection of the Driver's License and gender as they are not necessary for library operations. A draft of the updated paper application had been completed and awaiting approval. (Needs work)
2. Aggregate or anonymize reports to remove personally identifiable information. Reports should be periodically reviewed to ensure they are not revealing this type of information.
   1. We reviewed the current data we send and have made adjustments to ensure that we are only sending data that is necessary.
      1. OrangeBoy: We are reviewing the necessity of sending customer information since it does not play a role in the predictive scheduling tool that is being created. As of February 12, 2018 we have not sent additional customer and circulation information as a decision is being made about continuing our contract with Orangeboy. We have ceased sending customer information as a decision was made not to use the customer database for messaging or customer segmentation. (Accomplished)
      2. UMS: requires the information we provide in order to effectively contact customers on behalf of the library. UMS extracts information they need, but ensures customer privacy by not extracting information such as titles of items. When UMS is contacted by our customers they refer them to speak directly to library staff regarding their overdue materials as they do not have access to our database. (Accomplished)
      3. Bibliotheca: Creating a schedule for the deletion of transaction on the self-checks. We have been working with Bibliotheca about how this can best be accomplished. We are awaiting their response to be able to move on this recommendation and will implement immediately when we have been provided with the necessary information. We are working with their team to create a regular schedule in which transactional data is cleared from the self-checks on a regular basis. We hope to have this in place by the beginning of the 18/19 fiscal year. (Needs work)
3. Configure the LMS by default to remove transactional data between customers and materials they borrow / access when it is no longer needed for library operations.
   1. We have identified the areas where this information is being stored and created a schedule for how they are to be maintained.
      1. Last patron field: Clear the last patron field every 6 months with the criteria that the item has not circulated in the previous month. This will ensure that staff will still have access to information in situations where the previous customer information may be helpful (i.e. item returned incomplete). This will be implemented at the end of this 17/18 fiscal year. (Needs work)
      2. Fines paid data: fines or fees that have been resolved older than 4 years will be cleared from the patron account. This will coincide with the bad debt guideline of dismissing debts that are older than 4 years. This will be implemented at the beginning of the 18/19 fiscal year. (Needs work)
4. Allow customers the ability to opt-in to personalization features like keeping their checkout history or a list of favorite titles. (Accomplished)
5. Restrict access to customer records in the LMS to staff members with a demonstrated need for it. For example, circulation staff needs access but shelvers do not. (Accomplished)
6. Configure library notifications for holds, overdues, etc. to send a minimal amount of personal information.
   1. We recently received the training necessary to make changes to our current print templates.
      1. Courtesy and overdue emails: we will be able to remove the customer address from the email notifications through the creation of a new template. We are in the process of working with IT to get the new template created. To be accomplished by May 2018. (Need works)
      2. Hold slips: Sierra provides 4 template options for hold slips. The slips need to contain certain amount of information, but we are not able to customize the templates provided by Sierra. The templates from Sierra can shorten or the customer name (first and last), but we are not able to further customize the slip. If we are interested in anonymizing slips further we will need to purchase additional software to do so. To be accomplished by July 2018. (Needs work)
7. Develop policies and procedures regarding the extraction, storage, and sharing of customer data from the LMS for in-house or contracted third-party use. Restrict access to the extracts to appropriate staff.
   1. We do not have formal policies regarding the extraction, storage and sharing of customer data. (Needs work)
   2. We do not have formal procedures regarding the extraction, storage and sharing of customer data. There are an informal set of instructions for staff trained to run these reports about how to extract certain type of information being requested. These are currently house in the System Support Group Drive that is only accessible to a certain group of staff in Access Services. When can review these informal procedures and work on standardizing them and store them in a secure location with a completion date of December 2018. (Needs work)
   3. Extracts are handled by System Support, which is a unit within Access Services. This unit has Sierra logins’ that allow them to create reports that gather information about our customers and circulation statistics. The requests for customer information are usually related to a certain demographics or addresses, and individual information is not provided as the requests are related to trends of a group of users. We are in the process of reviewing logins and permissions provided to different staff members with a completion date of December 2018. (Needs work)

Library Information Technology Privacy Audit

Library Information Technology Overview

San José Public Library is the largest provider of free public computing resources in Northern California. The library logged over one million computer sessions in FY 2016-17. Currently, 1,200 public computers are available for reservation throughout the library system. Privacy and security have been a primary concern since the idea of reserved public computers was put into practice at SJPL in the early 1990s.

To secure our public desktop environment, the library has deployed a product that provides a freshly imaged, clean desktop every time a new customer logs onto a public computer, regardless of what the previous customer may have saved or changed. This same product provides antivirus and antimalware definition files from multiple vendor sources to quicken response time to new cyber threats.

Demand for wifi continues to rise sharply as customers bring enabled devices to the library for free internet connectivity. To meet increased demand, SJPL upgraded the WAN connections at all branch libraries to 1000 Mbps. These connect the library network to CalREN, a high-capacity fiber optic network operated by CENIC, the Corporation for Education Network Initiatives in California. Personally identifiable information (PII) is not collected on the wifi Network, in any form. This platform allows for high-capacity connection to the internet, but also other participating public libraries, schools, colleges, and universities with a high level of privacy and security.

The library recently converted its website to HTTPS, and has secured the catalog access page with a certificate as well. Providing an encrypted connection for customers authenticating on the library websites protects the privacy and integrity of their data and library website and catalog browsing. In addition to these measures, the library recently added Linked eCommerce to the catalog site to enable secure payment of fines without passing any personal information between organizations. Customers look to the library to protect their data, and this upgrade is in line with that strategic direction.

In order to maintain strict control over any other potentially sensitive data, as well as to provide mobility and stability to our environment, SJPL utilizes open-source platforms for notifications and alerts pertaining to server and network resources. These tools have been implemented with great success, with the added benefit of preserving the Library Information Technology Department’s (LIT) budget for public resources.

Privacy has always been a core focus for SJPL, particularly when it comes to how we provide technology services. We understand the importance of open access to information where lifelong learning is concerned. It is the goal of our organization to provide such access without fear of identity theft, damage to personal data, or reprisals of any kind.

Information Collected

The San José Public Library maintains data linked to customers in as limited a fashion as needed to provide public services. Below are the sources of structured data that could be linked to customer privacy.

Catalog System – Innovative Interfaces, Sierra ILS

• The Sierra ILS catalog system is the most important utility in the library’s array of technical resources. It contains item records for every book, audiobook, DVD, CD, tablet, laptop, and other loanable material in SJPL’s inventory. Sierra is also used to manage acquisitions and book vendor accounts. Most importantly for the discussion of privacy, Sierra maintains a database of customer records that allows our customers to check items in or out. It keeps track of every item’s status, manages holds for customers, and can send alerts to remind them of return due dates. In order for a customer to have an account within Sierra, certain unique identifiers are required to associate an individual with a library card number.
  • Current policies and procedures dictate that a customer must enter their name, date of birth, and address when filling out the form to receive a library card. It is optional (but encouraged) for them to enter their phone number and email address as well. If desired, a phone number or email address is typically used instead of physical addresses when sending notices.
  • Sierra does not log customer activity or keep any records of past check-outs.

• In accordance with state laws outlined in California Government Code sections 6250 through 6270, it is the policy of SJPL to ensure that customer records and registration data are kept confidential. Library staff has access to all item and customer records in the Sierra database, as allowed in the same California Government Code sections. Library staff does not share any information kept in these records with any outside agencies except by order from an appropriate superior court.
• Backups of the Sierra application server and the Sierra database server are taken nightly and encrypted. They are taken in multiple formats, de-duplicated, and stored in multiple locations. Once each week, an additional encrypted copy of the Sierra database is sent off-site to be stored for a five week rotation to meet the needs of our disaster recovery plan. Staff in the Access Services Department does an annual purge of customer accounts. If accounts meet the following criteria, they will be deleted:
  • Account has been inactive for four years.
  • Account has been expired for two years.
  • Account does not contain fines exceeding $10.00.
  • Account has no items currently checked out.
• Otherwise, customer accounts remain within Sierra for as long as the customer wishes and as long as they continue to use library resources.

Public Computer Reservation System (RAC)

• The Reserve-A-Computer system is a proprietary client/server database that resides within our VMware environment. All public computers maintain a local client that manages the session time and logs the customer out when the session is over. A user index is created on the RAC server, but does not link users to particular sessions or IP addresses. This index is not publicly accessible. The information contained is limited to name, library card number, and PIN. These are necessary to maintain high availability of the computer reservation system in the event of an ILS outage or network disruption. All PII is purged from the system immediately after the user logs out of their session. Booking stats, that list time and duration only (no PII), will remain in the system for two months. Reports about the number of reservations per branch are listed on the library Intranet.
• Management of the RAC database is limited to a small number of individuals in LIT with administrative rights. There is some reporting available to general staff, and they can change future reservations and check the status of current reservations, but library staff does not have access to any personally identifiable information in RAC.
• The RAC server OS and system state is backed up every 48 hours. These backups are kept for 30 days. No PII is included in any of these backups.

Public Computers - Local Storage

• The reservable public computers at SJPL provide a relatively open desktop environment for our customers to work with. This level of freedom could leave them open to exploitation from websites they visit, but not because of any residual data stored locally on the workstation. At the end of each individual computer session, reboots are forced by our Reserve-A-Computer program. All public computers wipe all changes made by the customer each time the computer is rebooted. There are no local search history records available after a customer leaves our workstations.
• Because no history exists locally, no library employee has access to any PII or locally stored transaction logs identifying the customer or the customer's activities.

OrangeBoy/Savannah

• OrangeBoy is a cloud service vendor that provides scheduling and resource analysis to schools and libraries so they can improve customer service and satisfaction levels. They store this data offsite, in their datacenter, in a proprietary format. LIT provides them with usage reports from RAC, staff scheduling data, and reporting-level access to our wifi management console. OrangeBoy used to get booking reports from RAC, but it has been determined that booking data is not part of SJPL’s business requirements, so we do not store that information any longer. There is a great deal of usage data, but none of these contain PII.
• Knowledge of who has access to this information is held by OrangeBoy, Inc.
• OrangeBoy is obligated to purge the data at the end of their contract with SJPL.

Active Directory

• The library uses Microsoft Active Directory 2012R2 for directory services in the combined San José Public Library and San Jose State University Library (SJSU) infrastructure to provide a central management of domain rights and authentication, access to domain resources, and security policies. Although SJPL is a department belonging to the City of San José, we have a separate domain infrastructure independent from that of the city’s domain structure and do not share any relationships between the two domains. SJPL maintains approximately 3000 domain objects including just over 600 City customer accounts and 1000 City workstation and server accounts.
• No public or customer data is currently stored in Active Directory.
• Staff customer information stored in Active Directory (AD) contains only work-related information such as customer’s name, position title, office location, work phone number, and customer’s city employee ID that only has relevance in the City’s HR system. There is no integration of the library’s AD directory to that of the HR systems so personnel’s personal information is only accessible through the HR system using separate access credentials.
• Access and management of AD are limited to the select individuals designated with the roles of Domain Administrators and Account Operators, allowing them to maintain the directory services.
• Active Directory information is kept for the duration of employment of each staff member. Upon termination, customer accounts are disabled for a period of 3-6 months, to ensure access to archived city-owned data. Once it has been established that no city-owned data is needed, or the data has been securely archived, the customer accounts are deleted. Computer accounts are deleted as soon as the physical hardware is removed from the system.

ASA Logs

• The transaction logs for SJPL’s firewalls are located on file servers within the Server VLAN. Although there is no PII within these logs, if used in conjunction with two other forms of data in our server farm, a customer on a reservable public computer (not a wifi customer) could be identified during the three-day retention period applied to our RAC server logs.
• Management of the ASA log server is limited to a small number of individuals in LIT with administrative rights.
• ASA logs are stored for 14 days and then discarded.

Partner Organizations

SJSU ITS

• San José Public Library maintains a partnership with San Jose State University, sharing their main library building. SJSU ITS does not have access to the customer database for SJPL, its passwords, or any personally identifiable information. However, they act as the internet service provider (ISP) for the Dr. Martin Luther King Jr. Main Library (MLK). As such, SJSU possesses the ability to log all internet traffic coming from MLK.
• SJSU ITS also maintains the public wifi system for MLK. They retain control of all switches and WAPs in MLK, and have the ability to log all wireless traffic and link it to any Layer 2 (MAC) address.
• The list of customers who have access to information kept in firewall gateway logs is known only to SJSU ITS, but they are subject to the same standards as SJPL, and bound to the legal responsibilities outlined in the Family Educational Rights and Privacy Act.

City of San José

• The library maintains a one-way, encrypted VPN connection with the City of San Jose’s network to provide library employees with uninterrupted access to City resources. There is no public information passing through this connection, nor does any non-library city employee have access to library data.

CENIC

• CENIC is the ISP for all branch library internet traffic. Their logging and data retention policies are beyond the control of SJPL. While CENIC as an organization does not have access to any personal customer data, they do have the ability to log all internet traffic by NAT. Each branch library contains several NATs, dedicated to service for the wifi network vlan, public computer vlan, etc. The location of data stored within CENIC is proprietary information, as is the list of customers who have access to it.
• CENIC is the designated Digital Millennium Copyright Act (DMCA) Agent for all of the internet facing IP addresses assigned to SJPL. This means that in the event of copyright infringement, CENIC assumes the legal responsibility of notifying the online service provider (OSP), in this case SJPL, of the Notice of Claimed Infringement. The American Library Association’s legal counsel has suggested that libraries interpret the category broadly in order to benefit from the safe harbor established in Section 512. Because detailed customer logs are not part of SJPL’s business requirements, we do not possess the ability to link individual customers to source IP addresses. We do have acceptable use language included in the terms and conditions displayed when customers “accept” and connect to our Wifi or log into a public computer. As such, safe harbor in Section 512 applies.

ALA Checklist Items

1. Encrypt all customer data with secure algorithms in all network and application communications.
   1. All network traffic is not currently encrypted, though portions of our network are physically separated, logically separated, and some client/server connections are encrypted. (Needs Work)
2. Purge search history records regularly, ideally when the individual computer session ends.
   1. At the end of each individual computer session, reboots are forced by our Reserve-A-Computer program. All public computers wipe all changes made by the customer each time the computer is rebooted. There are no local search history records available after a customer leaves our workstations. (Accomplished)
3. Establish minimum security practices for devices and services.
   1. Library IT has minimum security practices for all servers, workstations, databases, services, and network equipment. (Accomplished)
4. Change any default passwords.
   1. It is the LIT's policy to change all default passwords for any system installed on our network. However, passwords used by generic accounts are often left in place by staff for long periods of time, producing the same type of vulnerability. (Needs Work)
5. Disable remote access to the supercustomer account (i.e. root or administrator).
   1. The library does not use any supercustomer accounts for remote access. Innovative Interfaces, Inc. does use their own version of a supercustomer to access Sierra remotely, but this is an industry standard practice. (Accomplished)
6. Keep all software up-to-date using a secure and verified source.
   1. Third-party software is used to update all of our public computers, utilizing only pre-approved software packages and industry standard update methodology. Windows updates are done through Microsoft Update Services. Changes to any computer images are a group effort, and require oversight at the engineer and management levels. (Accomplished)
7. Require authentication for all client connections to services that allow access to customer information.
   1. Authentication is required for all client connections to services that allow access to customer information. (Accomplished)
8. Limit clients to only the access they need, i.e. the least privilege model.
   1. It has always been the policy of LIT to limit clients' access to only what they need. For Sierra and all other client/server databases, the least privilege model is deployed according to industry standards by LIT. For public workstations, the least privilege model is accomplished by utilizing tools that remove and restore all “change blocks” from the HD after each customer session. Thus, a customer’s ability to access and manipulate digital information over the internet is relatively unhindered. (Accomplished)
9. Enable mutual authentication of server and client if supported.
   1. Most systems deployed by SJPL do not support mutual authentication, but we would be well-served to explore options in this regard. (Needs Work)
10. Use a secure authentication standard such as oauth when feasible.
    1. This has not been deployed at SJPL, but the feasibility of third-party authorization for public services is questionable. One solution might be to provide this service for remote access to Sierra, in place of our current plan to deploy an encrypted VPN tunnel. (Needs Work)
11. Implement a logging policy for devices and services that covers rotation and retention, types of data collected, and the implications on customer privacy.
    1. A clear definition of the parameters of this goal/target is needed. However, LIT does not log all aspects of retention and/or rotation. (Needs Work)
12. Limit administrative privileges to authorized individuals through customer access controls or the sudo program.
    1. SJPL has dozens of systems and services that allow the library to function. All systems linked to the business requirements of the library, or that maintain digital information are managed centrally by LIT or in a few cases the controlling department (Access, Tech Services, etc.). (Accomplished)
13. Harden security on devices and services.
    1. A little context is needed for this goal, but LIT has made it a priority to harden security on all devices we provide to the public. The issue with hardening security is that it often requires logs or restrictions that are contrary to the protection of privacy. For instance, if a customer has the ability to purge their own material, it means that permission levels on the workstation for that customer will be high, and will subject the workstation to added vulnerability to malware. (Accomplished)
14. Disable any extraneous services that are running on devices.
    1. It has always been the policy of LIT to disable unneeded services on Windows Servers and workstations. We do not guarantee that ALL unneeded services are disabled. Some (like Microsoft .NET framework) provide enhanced performance but are technically extraneous. (Accomplished)
15. Require a unique password for each instance of a service.
    1. Depending upon the definition of "service," we may or may not have accomplished this goal. All SJPL databases are on single instance servers, so by default they will have unique passwords. (Accomplished)
16. Implement and enforce a strong password policy that specifies password length, formation, and duration. Consider using randomly generated passwords.
    1. Password complexity rules have been in place for staff authentication since the library’s opening of MLK. These apply to all internal database, but not to proprietary databases, including those used by Sierra. LIT is in the process of incorporating complexity rules and password expiration dates for all Sierra customer accounts. (Needs Work)
17. Encrypt data communications between client applications and server applications that may include customer information.
    1. All transactions that take place over the internet involving customer information are encrypted with 2048 private key. Internal communications between the database and application server are also encrypted. However, the library is not currently PCI compliant, which is the necessary standard to meet all requirements for this recommendation. (Accomplished)
18. Configure services when possible to require encryption by default, i.e. do not allow unencrypted connections.
    1. Most web services utilized by SJPL are proprietary and under the dominion of each vendor. In so far as LIT services are concerned, only the website utilizes forced encryption. (Needs work)
19. If services do not support encryption (e.g. SIP2), use an encrypted transport such as SSH tunnel or a VPN.
    1. SJPL does not utilize VPN tunneling for each Sierra Client and/or AMH device. As previously stated, PCI compliance would be the standard here and SJPL does not currently have a PCI compliant network. PCI compliance is on our project list to begin late FY 17/18. (Needs work)
20. Encrypt sensitive data at rest (i.e. data warehouses, archives, tapes, offsite backups, etc.)
    1. All data at rest in tape libraries or offsite are fully encrypted. (Accomplished)
21. Store passwords in applications using up-to-date best practices for encryption (i.e. hashed and salted).
    1. All passwords stored in Active Directory and Sierra meet the proposed standards. (Accomplished)
22. All remote access (including SSH) should be through secure keys not passwords.
    1. VPN with encryption is not currently required for Remote Access. LIT is in the process of installing these keys on a new firewall. (Needs work)
23. Keys should be no less than 2048 bit, 4096 bit is preferable.
    1. The library obtains all certificates from In-Common, under contract with California State University. All in use are 2048 bit, but no encryption key is more than 2048 bit. (Accomplished)
24. Do not allow deprecated or insecure ciphers.
    1. No SJPL encryption keys are renewed. All are discarded and replaced upon expiration date. (Accomplished)
25. Ensure private keys are secure (use subkeys and keep master keys very safe).
    1. All private keys are stored offsite by In-Common. SJPL can access them remotely through a management console. None are available on locally stored data. (Accomplished)
26. Rotate keys regularly and be ready to revoke them in case of compromise.
    1. SJPL rotates all keys upon their expiration. The length of time varies, but two years is a standard. (Accomplished)
27. Review the protocols employed by devices and services.
    1. A review of all protocols will be lengthy and beyond the scope of this document. However, as per the recommended ALA guidelines, LIT has always endeavored to keep protocols and practices standard, established, and open. All of our network monitoring is via open-source tools on Linux-based servers. (Accomplished)
28. Support data integrity including origin authentication, non-repudiation of origin, non-repudiation of receipt, and verification of payload using cryptographic signature or a hash.
    1. N/A
29. Verify security of devices and services by using penetration testing tools.
    1. The library undergoes what amounts to a bi-annual security audit by either the City of San Jose or the California State University. While the results of these audits have always been satisfactory, there has only been one outside audit conducted by an external security vendor in the past seven years. As part of our forthcoming PCI compliance project, an additional privately conducted security audit will be conducted. LIT requires additional training to keep current on methods for performing thorough internal penetration testing. (Needs Work)
30. Ensure that all services directly under library control are secure.
    1. This is the highest priority of the Library Information Technology Department. Through annual training, internet research, peer review, and scheduled upgrades, we work daily to provide the most secure environment possible to our customers. However, no organization is ever completely secure if it is connected to the internet. The work will always be there. (Needs Work)
31. Stay aware of and remediate known exploits.
    1. As much as possible, LIT has a policy of proactive adjustments to exploits. They number in the thousands and change every day. It requires constant diligence and effort. No organization is ever completely secure if it is connected to the internet. (Needs Work)
32. Keep software and applications up-to-date.
    1. See recommendation number 6. (Accomplished)
33. Monitor logs for intrusions and perform regular security audits.
    1. Additional measures are not taken to monitor security logs for intrusion, though intrusion detection software runs at all times to monitor the network gateway. (Needs Work)
34. Perform regular backups and have a disaster recovery plan. Note that backups should be subject to your policy on data retention.
    1. LIT performs nightly backups of all servers in the form of VDP images. An open source backup client is utilized to backup data to disk. Full data backups are also sent off-site once a week, and are retained for five weeks. (Accomplished)
    2. A disaster recovery plan is in place, but does not include co-location at this time. Development of a co-location site is in progress. (Needs Work)
35. Encrypt all online transactions between client applications (web browsers, eBook readers, mobile apps, etc.) and server applications using modern, up-to-date security protocols for SSL/HTTPS. Communications between server applications and third-party service providers should be encrypted.
    1. Communications between the library’s catalog and its database server are encrypted, as are all communications between the library’s website and its customers. (Accomplished)
    2. LIT has no control over what third-party vendors present to customers when they log in, but a wildcard certificate is being applied that will allow all vendors to encrypt their transactions with our customer. Vendor links to our client database and any transactions are also password protected via SIP2. This connection needs work, but great effort has been put forth to protect the privacy of customers.
36. Store customer passwords using up-to-date best practices for encryption with a cryptographically secure hash.
    1. All passwords in Active Directory and Sierra meet the proposed standards. (Accomplished)
37. Ensure that any personally identifiable information and customer data housed off site (cloud-based infrastructure, tape backups, etc.) uses encrypted storage.
    1. All off-site backups are encrypted before being transported off-site. Because SJPL maintains a “software only” relationship with III, no personally identifiable information is stored in a cloud-based environment. (Accomplished)
    2. Creation of a co-location center as part of our disaster recovery plan may require the transfer of some PII into a cloud-based DR site. If that situation should occur, all necessary precautions will be taken.
38. Explore the possibility of two-factor authentication and implement if possible.
    1. After some consideration, multi-factor authentication has not been deployed at SJPL. Not every customer has access to mobile devices or even email, so MFA could disrupt customer access to their own information. (Accomplished)
39. Encrypt offline data backups to prevent access by unauthorized personnel.
    1. All offline backups are encrypted when copied to disk. Any backups are encrypted before being transported off-site. (Accomplished)
40. Keep ILS applications and underlying server software up-to-date to mitigate the impact of security vulnerabilities.
    1. Library IT updates the ILS version as necessary. As of this writing SJPL has the most current version of Sierra. New versions are not usually applied immediately, so that they have time to mature. (Accomplished)
    2. Our ILS has at times kept us from upgrading the operating system used to serve Sierra. SJPL has Sierra loaded on RH ver 6.9, due to the limitations of the ILS vendor. Our version is kept up to date as per industry standard processes.
41. Store all passwords (customer and staff) in a secure fashion using a proper cryptographic hash function. At this time bcrypt or better are good standards.
    1. Encryption methods used for ILS passwords are an accepted industry standard, and meet the standard recommended, but their proprietary nature means that we do not know the precise encryption methods.
    2. Active Directory passwords meet the recommended standards for this document. (Accomplished)
42. Encrypt all traffic between the ILS server and any client connections outside a secure LAN. For example, use a VPN to encrypt the connection over the Internet of a checkout station at a branch library to the ILS server at the main library.
    1. All transactions that take place over the internet involving customer information are encrypted with 2048 private key. Internal communications between the database and application server are also encrypted. However, the library is not currently PCI compliant, which is the necessary standard to meet all requirements for this recommendation.
    2. LIT is in the process of creating an encrypted VPN connection for client access offsite. (Needs Work)
43. Conduct regular audits of the network and ILS servers to make sure reasonable security measures are in place to prevent unauthorized access.
    1. The library undergoes what amounts to a bi-annual security audit by either the City of San Jose or the California State University. While the results of these audits have always been satisfactory, there has only been one outside audit conducted by an external security vendor in the past seven years. As part of our forthcoming PCI compliance project, an additional privately conducted security audit will be conducted. (Accomplished)
44. Create procedures to handle data breaches to unauthorized parties and mitigate their impact on customers.
    1. There is not an existing, vetted process or procedure for handling data breaches to unauthorized parties. Although research into appropriate responses has begun with LIT, a formal procedure has not been created. (Needs Work)
45. Use analog signage and/or splash screens to explain the library’s network and wifi access policies, including any privacy-related information.
    1. Every public computer has a login page that contains some limited Terms and Conditions of the usage of public computers at SJPL. The welcome page for wifi connections contains the same type of language. Analog signage exists throughout the library to provide direction regarding the usage of RAC computers. However, the language in all of these forms needs to be reviewed on a regular basis to address new issues as they come up. (Accomplished)
46. Make a policy decision about the level of privacy versus convenience that the library will offer its wifi customers and adequately warn customers of potentials for traffic interception and other risks of an insecure network.
    1. This conversation is ongoing, and will continue in perpetuity. LIT makes adjustments to accommodate customer needs and concerns every time we re-image our standard computers or consider adding services. This will always need work. (Needs Work)
47. Set up public computers to purge downloads, saved files, browsing history, and other data from individual customer sessions.
    1. At the end of each individual computer session, reboots are forced by our Reserve-A-Computer program. All public computers wipe all changes made by the customer each time the computer is rebooted. Any downloads or saved files are overwritten and purged from the computer. The same is true for all history files. There are no local search history or browsing history records available after a customer leaves our workstations. (Accomplished)
48. Use antivirus software on all public computers. Ensure that antivirus software is installed and that it can block spyware and keylogging software.
    1. All public computers are loaded with an anti-virus/anti-malware solution that utilizes definition files from multiple sources. This gives the AV software a better chance of catching new or mutated malware. It protects against spyware and keylogging software. LIT has also disabled auto-run as an added measure to prevent an accidental file transmission from a customer’s USB flash drive. This latter measure also serves as a first line of defense against ransomware. (Accomplished)
49. Ensure that any computer reservation management system records, print management records, or ILS records regarding computer use are anonymized or destroyed when no longer needed.
    1. Our computer reservation management system (RAC) destroys personally identifiable information three days after the initial reservation. Print management records do not contain any PII. The ILS database does not contain details about computer usage. (Accomplished)
50. Anonymize or destroy transactional logs for network activity when no longer needed.
    1. All network activity logs are destroyed after 14 days. (Accomplished)
51. Perform regular security audits on all public computers, including digital inspection of security risks and flaws and physical inspection for unknown devices.
    1. There is an ongoing analysis of performance and security risks and flaws for all public computers, resulting in image updates as needed. Since no changes remain on the hard drive of any computer after the end of each session, most risks are mitigated.
    2. Physical inspection is done daily by LIT staff at MLK, and by library staff at each branch. The thoroughness of these inspections is debatable, but to date no suspicious or unknown devices have been found. (Accomplished)
52. Install plugins on public computers to limit third party tracking, enable private browsing modes, and force HTTPS connections.
    1. Private browsing modes are enabled on all public computers, but are not mandatory except for the catalog computers. The catalog machines are not reservable and cannot be used to browse the internet.
    2. Other than antivirus/anti-malware software, SJPL does not utilize plugins to limit third party tracking.
    3. SJPL does not force https connection from its public computers, except when accessing library resources. (Needs Work)
53. Install the Tor browser on public computers as a privacy option for customers.
    1. We do not currently offer the Tor browser preinstalled on our public computers, but customers free to install it themselves for the duration of their session. (Accomplished)
54. Install malware-blocking, ad blocking, and anti-spam features on firewalls.
    1. The current firewalls at gateway points of the library’s network have Layer-7 filters installed and configured. The rules applied at Layer-7 may or may not meet the ALA recommendations. (Accomplished)
55. Segment the network to isolate staff computers, public computers, and wireless customers into their own subnets.
    1. All branches have separate VLANs for staff, public, and wifi customers. The same is true for MLK. (Accomplished)
56. Ensure that any applications and operating systems on public computers are disabled from automatically sharing activity data with software publishers (e.g. error reporting).
    1. These features were disabled upon install, but the customers have the ability to make changes during the time of their session. (Accomplished)

Action Plan

The Library Information Technology Department recommends undertaking the following projects to address most of the recommendations that need work or attention. Though we recognize it will be impossible to provide a perfectly secure public environment, we feel the following actions should take precedent as we move forward:

1. Research Tracking Plugins
   Determine the feasibility of installing a plugin similar to products like Privacy Badger that will enhance the privacy of customers by stopping third parties from gathering data through embedded scripts or cookies. Estimated completion: FY 17/18, Q4
2. Data Breach Response Policy
   LIT needs to work with Administration and Executive Staff to create an official policy addressing the library's response to any future data breach. Estimated completion: FY 17/18, Q4
3. Encrypted VPN for Remote Access
   Install and configure a VPN solution that requires encryption comparable to L2TP (min). Research the possibility of including multi-factor authentication. Estimated completion: FY 18/19: Q1
4. Security Audit RFQ
   Solicit a quote for the services of an outside entity to perform vulnerability tests and a regular audit of network security at the San Jose Public Library. Estimated completion: FY 18/19, Q1
5. Department-Wide PCI Compliance
   Redesign network components where possible, and upgrade and install new devices where necessary, to create a Department-wide PCI compliant network. This will allow payments to be securely made onsite at from any location, and will force many of the changes required to meet standards recommended by the ALA. Estimated completion: FY 18/19, Q4

Marketing and Communications Privacy Audit

Marketing and Communications Overview

The San José Public Library’s Marketing and Communications Department interfaces with customer information in a variety of ways. The department is responsible for maintaining and monitoring various social media accounts including:Twitter, NextDoor, Facebook, Flickr, YouTube, Snapchat, and Instagram. We also oversee the collection of information through library contests and sharing of library stories. When a customer is photographed their personal information will be obtained through a model release form to gain permission to share their photo publicly. Our department also handles all requests for information from outside media. Customer information is not released to any media agency. Lastly, we send regular updates to library customers using email newsletters.

What information is collected?

We collect and interact with personally identifiable information from customers to perform regular business operations. Information collected includes:

• Name
• Age
• Address
• Phone number
• Email
• Home library branch
• School
• Occupation
• Grade level
• Social media screen name

How is the information collected?

Information about customers is collected through model release forms, contest submissions, social media, and newsletters.

Model Release Forms

Library staff or volunteers are required to receive written permission from customers when they are easily identified in a picture or video. Model release forms collect a customer’s name, age, address, phone or email, and description of the person. These forms were originally created by the City's Communications Director. We would like to reduce the information collected on these forms to just name, phone or email, and description of the person. Contact with the Communications Director will be made by Friday, April 13, 2018.

Photos and video of customers may be used by the library, the City of San José or San José State University for promotional purposes only.

Library Website

The library regularly runs contests and collects personal stories from customers through its website. The Web Team creates forms using Drupal and the customer information is then sent to a Gmail account. Customers may be asked to give their name, phone or email, address, home library branch, school, and age, grade level, and/or occupation.

Customers may also sign-up for regular updates through our email newsletter. Newsletters are serviced by Constant Contact.

Contests and Library Stories

In addition to collecting information through our website, library branches may facilitate contests and collect customer’s library stories through paper forms.

Social Media

The library operates several social media accounts including: Twitter, NextDoor, Facebook, Flickr, YouTube, Snapchat, and Instagram. Only members of the Web Team and Marketing Team have access to these social media accounts We are currently in the process of developing a social media policy for staff which will provide guidelines for posting and interacting with customers online. This policy is being written with the Web Team and will be completed by June 30, 2018.

Who is the information shared with?

Personally identifiable information about customers is only shared with their consent.

Library Website

The Marketing and Communications Team and the Web Team both have access to information submitted through the library website. Our team can also access email addresses that were submitted to sign up for newsletters using Constant Contact.

Model Release Forms

The information on a model release form is only seen by library staff or a volunteer that initially collects the information. A customer’s first name may be used when the photo or video is published.

Third Parties

If a contest requires a third party to work directly with a customer who has won a prize we will share their name and contact information with them to make those arrangements.

Social Media

Comments, posts, and messages shared through social media or our website may be used in marketing materials. They may also be shared with media, including newspapers. Customers will only have their first names identified unless given approval to share more information. No additional Facebook data analytics or target advertising are utilized at the library.

Where is the information stored?

All paper forms that are collected by the Marketing and Communications Department are stored in a locked cabinet at the King Library.

Digital submissions are deleted upon the completion of the contest.

Library branches maintain all collected model release forms. These are stored in a lock file cabinet with staff only access. Marketing will remind staff about how to store materials by July 1, 2018.

At the end of a contest, all forms are shredded.

How long is the information stored?

Model release forms and any collected library stories are kept indefinitely. This follows the City’s record retention requirements.

Contest forms are shredded by staff after the completion of the contest.

Social media information is kept indefinitely and is stored only on the platform being used.

Partners in Reading Privacy Audit

Partners in Reading Overview

We maintain confidential information for reports to the San José Public Library (SJPL) and California Library Literacy Services. This includes Partners in Reading (PAR) adult literacy services, Together We Read (TWR) family literacy services, ESL, Computer and Online Instruction, and the California State Library (CSL) program, California Library Literacy Services of the California State Library (CLLS), Career Online High School (COHS). Other than COHS, which requires a few more specifics, we collect the same information from all participants in PAR programs.

What information is collected?

Our department may collect any of the following information when engaging with all learners and/or tutor:

• Name
• Address
• Email
• Phone Number
• Emergency Contact
• Date of Birth
• Gender
• Ethnicity
• Educational Background
• Employment/Occupation
• Library Card Number

Adult literacy learners may also be asked to provide:

• First Language
• Birth Country
• Learning Disabilities
• Number of Children under 14

Career Online High School participants may be asked to provide:

• Last Grade Completed/School Attended
• Library Card Number
• Special Education Classes Attended

Gender and ethnicity are required by California Library Literacy Services for reporting. Educational background and employment are for PAR’s records for specialization in matching with learners with tutors who may have key interests.

How is the information collected?

Customers can express interest in participating in PAR programs by completing an intake form online, by mail, in person, or over the phone. Tutors are required to submit their information using the standard volunteer form and process.

Upon entering the PAR reception area, participants and volunteers sign-in on the computer lab sign-in sheet. This includes name, a check box for their status (Learner, Tutor, COHS, or Other), date and time in and out. Currently, we don’t have a way to maintain this private record, but plan to use a record-keeper much like those used in a doctor’s office where you peel the information off and place it on a private desk sheet. This upgrade is planned for Q3 of 2017-18. Also thinking that in the future (next year’s CLLS budget), we may be able to use an iPad to sign in participants and automatically record the info into the reception computer.

Who is the information shared with?

Information on PAR program participants is shared with SJPL, CLLS and CSL in aggregate data categories. No individual information is shared.

Tutors will have access to all information given by learners except for address, email, and library card information. Tutors receive relevant information with an assessment summary written by one of our two literacy program specialists. Tutors are bound by a confidentiality agreement when they enter the program.

For COHS students, the CSL shares individual student information and data with Gale Cengage Learning and Smart Horizons, the school that offers the accredited curriculum, high school diploma, and career certificate for the program. This COHS information posts to a dashboard that is also shared among the PAR/COHS program manager, project manager, and support staff.

Information is used for placement of individuals in PAR programs. Information collected for COHS is used to qualify individuals for scholarships. Each candidate must qualify as specified in COHS guidelines as described in COHS documentation to be considered for a scholarship. For COHS graduates, their names are shared with the City of San Jose Mayor and City Librarian for the signing of certificates. Graduates sign a release to use their names, photos and videos for the graduation ceremony.

Where is the information stored?

PAR program records are maintained in our password protected-database and archived on backup storage. Paper records are kept in locking files. All staff members have password access to the database and can provide input on new customers and their information and are able to lookup information in the locking file cabinets.

The COHS program began in February 2016, and information is maintained and archived in the PAR database and on spreadsheets stored on shared PAR computers. Gale Cengage Learning, Smart Horizons, and CSL also maintain/archive this information as their policies and procedures require.

How long is the information stored?

We maintain our records for 7 years. All information is stored in our customized database for historical purposes. Our Principal Office Specialist is in charge of office operations and schedules the purging of records. Paper records are shredded after 7 years.

Security Privacy Audit

Security Overview

The Security Department services all 23 branches of the San José Public Library (SJPL) and the Dr. Martin Luther King Jr. Library on the San Jose State University (SJSU) campus. Security staff are employed by the City of San José and work closely with officers employed by the University. Library staff and officers collect and obtain information to document non-criminal and criminal, suspicious behavior, violations of customer conduct policy, and to process suspensions, as needed.

Information is used to assist library staff in providing a welcoming, peaceful public space. SJPL may suspend access to the King library and 23 branches to persons who fail to adhere to the SJPL customer conduct policy. Information gathered is used to complete suspension paperwork.

What information is collected?

When a customer is in violation of an SJPL policy standard information is collected to include in an incident report or behavior log. Information collected may include:

• Name
• Date of birth
• Library card number
• Address
• Email
• Telephone number
• Summary of the incident
• History of SJPL incidents

How is the information collected?

Information is collected by any or all of these methods:

• Asking the library patron
• Asking library staff
• Video/camera footage
  • Still photos are obtained through SJSU and those library branches with Closed Circuit TV (CCTV) cameras, University Police body cameras, or asking the patron if they are okay with having their photo taken for suspension records. Still photos assist library staff to identify library patrons, who have been suspended to administer suspension process.
  • Those SJPL branches with CCTV have a 30 day retention period. SJPL branches with CCTV reset video recordings every 30 days. SJSU storage and retention is 1 year.

Incident reports are completed and filed using Incident Tracker. Incident Tracker software documents criminal, aggressive, and high priority incidents that have a possibility of recurring.

Behavior logs are completed for minor transgressions using an online SharePoint form.

Who is the information shared with?

Information contained in incident reports, behavior logs, and suspension paperwork is only made available to SJPL staff and University Police. Library records are not made available to any agency of state, federal, or local government without a subpoena, warrant, court order or other legal document requiring us to do so. These orders must show good cause and be in proper form. We have trained all library staff and volunteers to refer any law enforcement requests to library administrators.

Only the City Librarian and/or their designee are authorized to receive or comply with requests from law enforcement officers. We speak with our legal counsel whenever possible before determining the proper response.

Where is the information stored?

The information can be found in the SharePoint Security page. The SharePoint Security page contents include:

• Incident Tracker (reports)
• Behavior log
• Suspension documents
  • Suspension packet
  • Appeals
  • Re-entry of suspended library patron information

Incident Tracker

Incident Tracker is an archival software that documents criminal, aggressive, and high-priority incidents that have a possibly of recurring. All data is stored and kept indefinitely. Incident Tracker is an online reporting solution that allows library staff to log incident reports electronically, view, and query at any time. Incident Tracker provides detailed analytic reports and trending graphs, can create workflows, and even set automatic email alerts. Staff must use a login and password to access the software. Incident Tracker can be accessed by Branch/Unit Managers, Library Assistants, SJPL and King Library Security Staff, and the Executive Leadership Team.

Behavior Log

The behavioral log is used to document non-criminal, non-repeated behaviors and violations of library policies other than the customer conduct policy. Staff use the behavior log is used as a quick reference to keep informed of specific interactions with customers. The behavioral log is located on Security SharePoint and can be accessed by any library staff member through the SJPL SharePoint page.

Suspensions, Appeals, & Documents

The suspension, appeals, and documents folder on SharePoint contains information on past and currently suspended library patrons. This includes all suspension paperwork, customer photos, information regarding paperwork being served, appeals, blank suspension forms, the customer conduct policy enforcement rubric, and completed re-entry and reinstatement of library privileges documentation.

Suspended customers may file an appeal using the form provided in the suspension packet. The suspension appeals form requires customers to provide their name, address, email, telephone number, a brief summary explaining why they are appealing their suspension, and their request to restore library access privileges. Completed appeal forms are submitted to any SJPL or King Library Security Staff or Branch/Unit Manager. Forms are then immediately given to administrative support staff who coordinates with the Library Administrative Officer and assigned Division Manager to schedule the appeal hearing.

The date/time/location of the hearing is mailed or emailed to a customer within five working days of receiving the appeal form. All appeal hearings are held at the King library. The suspended customer, senior security officer, witness, and assigned division manager must be in attendance at the private hearing. The results of the hearing are then forwarded to administrative support staff, who sends a copy to the customer.

Photos of suspended customers can be posted in staff workrooms, viewable only by library staff and volunteers. The photos are posted at the request of Senior Security Officer. Postings include a photo of the suspended customer and reason for suspension. These postings are limited to customers who pose a safety risk to library staff or patrons, have a high likelihood of visiting that branch, or if the incident occurred at that location.

How long is the information stored?

Incident Tracker data, behavior logs, and suspension/appeals documents are stored indefinitely

Photos postings in the staff workroom are kept for a minimum period of 12 months after which they are shredded.

SharePoint security page is continuously updated to improve access. Non-criminal violations and incidents 12 months and older are relocated to the "Old Suspensions" folder. Criminal violations, 10 years and older, are relocated to “old suspensions” folder. A current retention period of suspension, appeals, records, including photos is under review.

Technical Services Privacy Audit

Technical Services Overview

Technical Services does not collect, extract, or share any personally identifiable information of library customers. All data extracted to vendors or shared with vendors is related to circulation and identification of materials only.

What information is collected?

collectionHQ

Technical Services runs a monthly data extract to Baker & Taylor’s collectionHQ. The data points are attached and include check in and out dates. All information extracted is in the Bibliographic, Item or Authority fields. The old extracts are deleted after the new extracts are run.

Vendor Access to Sierra

Access to Sierra is limited to the catalog and the exchange of order and invoicing information. All access requires a login and the permissions to that login are restricted to the limited tasks required to accomplish the work. Login and permissions are set up by LIT or Innovative.

ALA Checklist Items

1. Develop policies and procedures regarding the extraction, storage, and sharing of patron data from the ILS for in-house or contracted third-party use.
   1. Technical Services does not extract, store, or share any patron data. (Accomplished)
2. Restrict access to the extracts to appropriate staff.
   1. Restrictions are in place (Accomplished)
3. The policy should include disposal/deletion of extracts.
   1. Technical Services deletes all extracts at the point of sending new extracts on a monthly basis. (Accomplished)

Volunteer Services Privacy Audit

Volunteer Services Overview

The Volunteer Services Department of the San José Public Library collects information from volunteers as they apply in order to screen applicants, track volunteer contributions, and report the number of volunteers and volunteer hours contributed to the library.

What information is collected?

Our department collects personally identifiable information in order to process volunteers into the library system. The information collected allows the library to do background checks on volunteers, to assist the volunteer coordinators at branches in assigning volunteers to different tasks, and for Volunteer Away Your Fines events. Only the necessary information to conduct regular business operations is collected. Personal information collected may include:

• First and last name
• Date of Birth 
• Mailing address
• Email
• Phone number
• Age range (13+, 15+, 18+, 21+, or 50+)
• Language proficiency
• Emergency contact information
• Employer
• School
• Highest level of education
• Library card number
• Amount of fines waived

How is the information collected?

Information is collected through a variety of different sources.

Online Volunteer Application

All ongoing SJPL volunteers create a profile in Better Impact, the volunteer management software SJPL uses to track volunteer applications, hours, and impact.

Volunteer applicants are required to enter their first name, last name, date of birth‌, mailing address, email, phone number, age range (13+, 15+, 18+, 21+ or 50+), language proficiency, emergency contact information and how they found out about volunteering. They can also include this optional information; school or place of employment, and highest level of education.

Volunteer Signature Form

All SJPL volunteers return a completed copy of the volunteer signature form before they begin volunteering as required by the City of San Jose legal department.

Volunteer applicants are required to fill in their first name, last name, parent/ guardian signature (if they are under 18), and if they are a one-time volunteer, emergency contact information.

Volunteer Away Your Fines Registration

When someone attends a volunteer away your fines event, their information is entered into an excel spreadsheet so that fines may be waived from the correct account during the event.

The registration sheet has each participant’s first name, last name, phone number or email address, age level (adult or child), library card number, and amount of fines waived.

LiveScan Fingerprint Background Check

All ongoing, adult volunteers are required to submit a fingerprint background check before beginning as a volunteer. No information is collected by SJPL.

Who is the information shared with?

Personally identifiable information is shared with certain staff (library and City of San Jose) and volunteers may access their own information.

Online Volunteer Application

Online volunteer profile information can only be accessed by the volunteer and SJPL Better Impact account administrators (SJPL staff and occasionally specially trained and background checked volunteers).

Better Impact account information is only shared with volunteers themselves (not parents or potential employers). We will only confirm dates of service and hours with potential employers and family members.

Volunteer Signature Form

Signature forms are only accessible to library staff members (librarians, clerks, and branch managers). Staff can make a copy of the signature form for a volunteer upon request.

Volunteer Away Your Fines Registration

These excel files are only accessible by the library staff handling sign-in or waiving the fines for the event.

LiveScan Fingerprint Background Check

Only the SJPL Volunteer Services Analyst (or their supervisor) and City of San Jose Human Resources Staff have access.

Where is the information stored?

Online Volunteer Application

Volunteer information is stored in the Better Impact Software. The Better Impact Privacy policy can be found at https://www.betterimpact.com/siteguide/privacy-policy.

Volunteer Signature Form

Signature forms are stored in a locked file or office at the branch or unit at which they are returned. Forms are filed by last name so that they can easily be located if needed. When a volunteer is archived their signature form is moved into a file marked with the current year so that they can be shredded once 3 years have passed.

Volunteer Away Your Fines Registration

These excel sheets are stored on a staff computer at the library branch that is hosting the event. The form is not printed out. All entries are deleted after the totals for the event are inputted into the system wide tracking sheet (within 24 hours of the event).

LiveScan Fingerprint Background Check

Results of volunteer fingerprint background checks are received and stored by the City of San Jose Human Resources Office. No information on the results of the LiveScan background check are included in the Better Impact Software or in a volunteer’s physical files. Any receipts sent to volunteer services are kept in a secure locked file.

How long is the information stored?

Online Volunteer Application

Profile information is stored indefinitely.

Volunteer Signature Form

Forms are kept for 3 years after a volunteer has left the service of SJPL.

Volunteer Away Your Fines Registration

Registration Excel forms are deleted after the totals from the event are added to a system-wide tracking sheet.

LiveScan Fingerprint Background Check

Background checks are required to be kept for 3 years after a volunteer ends their service to the library.

Web Team Privacy Audit

Web Team Overview

The San José Public Library (SJPL) website provides access to information on library services and events, the library catalog, and various electronic resources and eBooks/eMedia. The website receives over 3 million visits annually, and eBooks/eMedia log over half a million checkouts per year.

The library website (https://www.sjpl.org) is maintained in-house by the library’s Web Team. It is built using the Drupal open source content management system. The Drupal community worldwide numbers over 1 million users, which include several teams focused on security. Drupal provides frequent security updates. Drupal is trusted by many large organizations, including the White House, Tesla, and the American Red Cross.

The library website is hosted on Acquia Cloud, which provides an array of access and authentication controls, firewall controls, defensive security, and frequent security updates. All website traffic is encrypted using https. The library’s IT department makes sure that security certificates are kept up-to-date.

SJPL contracts with a number of third-party vendors to provide a wide variety of electronic resources for on-site and off-site use by library card holders. These resources include downloadable and streaming materials as well as traditional databases.

All of our electronic resources are supplied to us by vendors with whom we contract. Although we have little control over the actions of those vendors, we are committed to

• Discovering exactly what privacy measures our vendor partners are taking
• Discovering the personally identifiable information those vendors collect about our patrons
• Working with our vendors to ensure they meet our privacy standards and requirements
• Using our purchasing/bid process to contract with vendors who are able to meet our privacy standards and requirements

Information Collected

Webforms

The library website includes a number of webforms, which customers may submit for purposes such as applying for special services, submissions to library contests, and requesting online help from staff. These forms collect some personally identifiable information, which should be used solely for the purposes described by the form. We have verified with the library units that have requested these forms that all information requested is necessary and will also do so when any future forms are created. Information collected may include name, age, email address, phone number, physical address, library card number, and other information relevant to the purpose of the form. We have purged webform activity more than 6 months old and have removed this information from both current and archived copies of the website. A similar purge will be performed twice annually, in March and September.

The Web Team uses a webform to collect information (name, email, library card) from patrons requesting to set up an account with Treehouse, one of our eResources vendors. This information is used for its intended purpose and purged after one month.

Webforms do also collect user IP addresses. We are investigating the impact of collecting this data and considering ways to improve anonymity, such as implementing a Drupal module to anonymize this information.

Analytics

We use Google Analytics for statistical analysis of our website usage. We have enabled the "Anonymize IP Address" feature via the Drupal Google Analytics module. Our data retention period for Google Analytics is set to the lowest setting of 14 months for any cases where user-level and event-level data associated with cookies are or might be applied.

We have/are collecting information on the following SJPL-related web properties:

• https://www.sjpl.org - our main website.
• Localist - hosts our library events site. We will no longer be using Localist after June, 2018. Library events will reside on our Drupal site.
• SRC (when it was a Drupal instance) - this was built by a 3rd party; we don’t have an archived copy
• https://sjlibrary.org - site shared with San Jose State University (SJSU) Library. Data collected by SJPL is anonymized. We will be discussing anonymization with SJSU Library staff.
• Our Catalogs - Encore and Classic - see below
• Digitalcollections.sjlibrary.org - used by our California Room for historical images. We are in the process of transferring to a new vendor for this service and will be aware of privacy issues as that is set up.
• LibCal/LibAnswers/LibChat - Per-user statistics have been disabled so that personally identifiable information cannot be associated with bookings. This resource is shared with SJSU and we are discussing additional privacy options with them, including anonymizing IP addresses and altering the tracking code script.
• Beanstack - is used to track patron reading lists for 1,000 books before kindergarten and Summer Reading program. Information collected includes name, email address, and book titles. We receive a monthly Google Analytics report of activity.

We also use Hot Jar to obtain analytical data on website usage, such as heat maps, screen recordings, and polls. Data is used to improve our library website. All data collected is anonymized. Keystrokes are not recorded.

We provide summary usage reports to library staff, the City of San Jose, California State Library, the Public Library Data Service, and other organizations as requested. All report information is anonymized.

Third Party Scripts and Embedded Content

We currently embed content from YouTube, Flickr, Facebook, Twitter, and Google Maps, and we use scripts from Google Analytics, Google Translate, HotJar, Flickr, New Relic, AddThis, and LibAnswers. We are in the process of evaluating what data is collected through third-party scripts and embedded content and limiting unnecessary data collection.

Electronic Resources

In relation to electronic resource use, SJPL does not collect personally identifiable information about our customers. We gather statistical information from vendors — either by running reports through the vendors’ websites or from reports sent to us by the vendor. This is general usage information that does not contain identifying information.

Some of our vendors do allow us access to reports and features that contain personally identifiable information. That information is only used by the library for assisting patrons with troubleshooting account/technical issues, and is available to a limited number of staff (generally no more than 3 people).

We have prepared a letter that will be sent to vendors that will express our expectation that all of our vendors should:

• Configure services to use opt-in whenever possible for features that involve the collection of personal information.
• Provide customers with options as to how much information is collected from them and how it may be used. Customers should have a choice about whether or not to opt-in to features and services that require the collection of personal information such as borrower history, reading lists, or favorite books.
• Notify customers of their privacy policies at the point of access.
• Provide a method for customers to access, review, correct and delete their personal data.
• Encrypt connections using SSL/HTTPS to provide secure access to digital content
• Notify the library as soon as the vendor is aware of a data or security breach or a breach of the contract's terms.
• Allow customers to uninstall vendor applications and delete associated stored data from personal devices.
• Conduct regular privacy audits and make audit results available to the library for review. Make the results of the review one of the criteria for renewal.
• Limit the amount of personal information collected about users. In general, the library or service provider should collect the minimum personal information required to provide a service or meet a specific operational need.

In future vendor contracts and renewals, we will include the expectation that each vendor:

• Complies with all applicable local, state, and federal laws regarding the confidentiality of library records.
• Conforms to the library’s privacy, data retention, and data security policies.
• Ensure that all subcontractors be required to follow the privacy and data security protection terms in the contract between the library and the vendor, and that the library be notified whenever a subcontractor is employed by the vendor.
• Stipulates that the library retains ownership of all patron data.
• Includes a protocol for responding to government and law enforcement requests for patron data.
• Includes details about what measures the vendor uses to protect retained data, and what security measures it uses to ensure it is safe.
• States the vendor’s responsibilities to notify the library and affected patrons in the event of a data breach.

We are preparing a Digital Materials Strategy, in which we will include privacy expectations (see above) as part of rating criteria for vendor selection/renewal.

We have compiled a list of links to the privacy policies of our vendors. This list is available on the SJPL website. We have also compiled a list of the data collected by each vendor and how it is used. See Appendix A.

We are also in the process of creating a document for patrons informing them of the policies and options of each vendor as well as relevant library policies and procedures. These will be available on the library website and will include:

• Settings for personal accounts on vendor websites.
• Settings for vendor applications on personal devices including any privacy settings and how to remove the application and any associated stored data.
• Library procedures if a vendor experiences a data breach. See Appendix B.

Online Catalog

The online library catalog (Encore and Classic catalog) allows patrons to log into their library account to access checkouts, holds, and other account information which resides on Sierra, our Integrated Library System. See the Access Services white paper for more information. All transactions between the online catalog and Sierra are encrypted.

Patrons are able to choose to turn on a feature that tracks their reading history. This feature is opt-in, and they are able to opt-out at any time. They are also able to create personal book lists, which are not shared with anyone and can be deleted at any time. They may choose to add tags to items in the library catalog and delete them at any time. Staff are able to see the name of the person(s) who added a specific tag. This information is not available to the public.

User Experience Research

The Web Team conducts user experience (UX) research with library patrons, in order to make informed decisions about improving user experience. A signature of informed consent and some general demographic information, such as age range and preferred library locations, is collected. When qualitative interviews are conducted, participants may share details about their lives. This information is typically recorded on paper; then it is uploaded to a research staff member's OneDrive account, and shared with only library staff who are directly involved with the research project.

Video recordings may be produced, especially during usability testing sessions. These recordings are uploaded to a private YouTube account that only designated library staff are able to access. Once these items are loaded, the original recordings and paper artifacts are destroyed. The recordings and any electronic research artifacts with PII are to be kept for no more than two years and are destroyed sooner than that if the project associated with the UX research has been completed. A summary of the research may be retained, but no artifacts with PII will be kept. User behaviors, opinions, and general user characteristics, such as level of technology skills, may be shared with external stakeholders in order to demonstrate how SJPL made a design decision, but no PII or data points that could be inferred or connected to participants are shared.

Action Plan

1. Investigate the impact of collecting this data and considering ways to improve anonymity, such as implementing a Drupal module to anonymize this information. (To be completed June 2018)
2. Continue evaluating what data is collected through third-party scripts and embedded content and limiting unnecessary data collection. (To be completed June 2018)
3. Send letter informing eResource vendors of our privacy requirements.
4. Implement new privacy requirements for all future purchases and bids.
5. Data breach response policy [see Appendix B] (working with IT on this)
6. Provide instructions for users on our website on how to secure their vendor accounts, opt in and opt out when available, and uninstall vendor applications. (To be completed by June 2018)
7. Complete Digital Materials Strategy, which includes expectations of new vendors and renewed vendor contracts. (To be completed June 2018)

Appendix A

Appendix B

Data Breach Response

Web

If we become aware of a data breach, we will work with Library IT to protect users whose data has been breached and take action to secure against future breaches. We will notify our users immediately through any or all of the following:

• Notice on our website
• Email Newsletter
• Email to patrons who may be impacted
• Blog
• Twitter, Facebook, Instagram accounts
• Branch signage if necessary
• Local media outlets

The level of notification will depend on the severity of the breach and the extent to which library users may be impacted.

eResources

With eResources, we rely on our vendors to let us know if there is a data breach. If/when we are alerted to a breach, we will follow any instructions we receive from the vendor and notify our users immediately as above.